Hi, I am creating a standalone application that processes Wireshark text files. The issue that I am facing is that when I save the Wireshark capture as a K12 text file and open it in an editor, the time of capture it shows above the packet is different from the time of capture shown if I open the same text file in the Wireshark tool. Please let me know what could be done in this regard. Thanks.

asked 16 Aug '16, 06:52 shobhit_garg91
What is the difference in the timestamps? Is it the same as your timezone difference from UTC?
Hi, I am in ET so the time difference is 4 hours. In the case of Wireshark, though, the time difference is 5 hours. Thanks.
It is summer, so some mishandling of DST is likely somehow responsible for the remaining hour.
When you capture, Wireshark timestamps the frames using UTC, but using View->Time Display Format, you may choose whether you want to have the timestamps displayed in UTC or in local time of the machine where you view the capture. If you save a capture file as K12 text, the timestamps are in UTC, like in the original capture.
So try to change the display mode in Wireshark from local time to UTC and check whether the timestamps shown in Wireshark change by 5 hours as well. If yes, it is enough to explain why the DST is not taken into account, which may be related to your operating system settings.
Hi Sindy, Thanks for your inputs. I checked the time in Wireshark by converting it to UTC format. The time gap is now reduced by 4 hours, but there is still a difference of 1 hour between my Wireshark capture and the equivalent capture saved in K-12 format.
Thanks.
in that case:
Hi Sindy, My Wireshark version is 2.0.4; my OS version is Windows 7; my original capture format is PCAPNG; the original file was captured in the same environment.
Thanks.